EPIC --- Privacy and Human Rights Report

EPIC --- Privacy and Human Rights Report 2006

Republic of Estonia

Constitutional Privacy Framework

The 1992 Estonia Constitution recognizes the right of privacy, secrecy of communications, and data protection. Article 42 states, "No state or local government authority or their officials may collect or store information on the persuasions of any Estonian citizen against his or her free will." Article 43 states, "Everyone shall be entitled to secrecy of messages transmitted by him or to him by post, telegram, telephone or other generally used means. Exceptions may be made on authorization by a court, in cases and in accordance with procedures determined by law in order to prevent a criminal act or for the purpose of establishing facts in a criminal investigation." Police must obtain a warrant in order to intercept communications. Illegally obtained evidence is not admissible in court.[2132] Article 44 (3) of the Constitution states, "Estonian citizens shall have the right to become acquainted with information about themselves held by state and local government authorities and in state and local government archives, in accordance with procedures determined by law. This right may be restricted by law in order to protect the rights and liberties of other persons, and the secrecy of children's ancestry, as well as to prevent a crime, or in the interests of apprehending a criminal or to clarify the truth for a court case."[2133]

Statutory Rules on Privacy

The Riigikogu, Estonia's Parliament, enacted the Personal Data Protection Act (PDPA) in June 1996.[2134] The Act protects the fundamental rights and freedoms of persons with respect to the processing of personal data and in accordance with the right of individuals to obtain freely any information that is disseminated for public use. The PDPA divides personal data into two groups – non-sensitive and sensitive personal data. Sensitive personal data reveal political opinions, religious or philosophical beliefs, ethnic or racial origin, health, sexual life, criminal convictions, legal punishments and involvement in criminal proceedings. Processing of non-sensitive personal data is permitted without the consent of the respective individual if it occurs under the terms set out in the PDPA. Processed personal data are protected by organizational and technical measures that must be documented. Information relating to criminal charges is treated as sensitive only if it is announced prior to the trial or before the judgment. Such data is deemed sensitive if it is necessary to protect morality or individual's private or family life, or necessary in the interests of a minor, a victim, a witness or a fair trial.[2135] Chief processors[2136] must register the processing of sensitive personal data with the data protection supervision authority. Registration applications are accepted only via the Internet, through the home page of the Data Protection Inspectorate.[2137] Between 1999 and April 2005, 1,494 data processors of sensitive data registered with the Data Protection Inspectorate.

In April 1997, the Riigikogu passed the Databases Act (DA).[2138] The Databases Act is a procedural law for the establishment of national databases. The law sets out the general principles for the maintenance of databases, prescribes requirements and protection measures for data processing, and unifies the terminology to be used in the maintenance of databases. Pursuant to the Databases Act, the statutes of state registers or databases that were created before the law took effect must be brought into line with the Act within two years. The Act also mandates the establishment of a state register of databases for state and local government databases, as well as databases containing sensitive personal data maintained by persons in private law. The chief processor of the register has the right to make proposals to the government, to the chief processors of various databases, and to the state information systems. He or she also acts as the coordinating authority with respect to the expansion, merger or liquidation of databases, database cross-usage, and the organization of data processing or data acquisition so as to avoid duplication of effort or substantially repetitive databases. In 2002, the Databases Act was amended. The changes related to support systems for state and local registers.[2139]

Data Protection Authority

The Data Protection Inspectorate (DPI) is the supervisory authority for the PDPA, the Databases Act and the Public Information Act (PIA).[2140] On February 14, 2007, the DPI was reorganized, moving the DPI from an agency operating under the authority of the Ministry of Internal Affairs, to an independent agency operating under the Ministry of Justice.[2141] The DPI’s objective is “state supervision of the processing of personal data, management of databases and access to public information.”[2142] The Director General manages the DPI and is appointed to a five-year term by the Government of the Republic based on the Minister of Justice’s recommendation. The Director General cannot be appointed to the office for more than two terms.

Supervision regarding data protection is regulated by the PDPA, the DA, and the PIA.[2143] The processing of data and liability are also regulated by the Health Protection Act, Archives Act, State Secrets Act, Statistics Act, Code of Administrative Offenses and Population Register Act.

The agency can conduct investigations and demand documents, impose fines and administrative sanctions.[2144] The DPI has three departments and 31 employees.[2145] The Development and Analysis Department is responsible for compiling reports, issuing press releases and organizing the foreign relations and international cooperation of the DPI, including the work of international data protection and freedom of information. The Control Department is divided into three divisions: Registration, Proceedings and Supervisory. The Registration Division processes incoming applications for those wishing to process sensitive personal data. The Proceedings Division resolves complaints, challenges and disputes that fall under competence of the Inspectorate and carries out misdemeanor procedures within the Inspectorate's competence. The Supervisory Division implements the supervision and control over data processing and access to public information. The General Department performs administrative functions.

During the period from October 2005 to September 2006, the DPI received 110 complaints, clarifications and memoranda based on PDPA violations. This resulted in 11 misdemeanor decisions and an additional 10 misdemeanor proceedings.[2146] During the period from October 2005 to September 2006, the DPI received 414 registration applications and registered 229 processors of sensitive data.[2147] From October 2005 to September 2006, the DPI performed 48 on-site verification visits to determine compliance with the PDPA.[2148] The DPI also held 34 training sessions on personal data protection in various locations.[2149]

Estonia’s integration into the Schengen information system and the Europol and Customs Information Systems is not expected to happen until October 2008 “at the earliest.”[2150] This implies preliminary work: professional training, familiarization with the relevant laws and, where needed, supplementing the supervision methodology.[2151]

The DPI maintains close relations with the data protection authorities (DPAs) in other central and eastern European countries. In December 2001, the data protection commissioners from the Czech Republic, Hungary, Lithuania, Slovakia, Estonia, Latvia and Poland signed a joint declaration agreeing to closer cooperation and assistance. The commissioners agreed to meet twice a year in the future, to provide each other with regular updates and overviews of developments in their countries, and to establish a common website for more effective communication.[2152] The DPI participates in the e-PRODAT project, which includes Data Protection Authorities, Universities and Regional/City Governments from Spain, Italy, Greece and Estonia. The main goals of e-PRODAT are: The exchange of knowledge and experiences related to personal data protection in public bodies of different European countries; the creation of an Internet based “European e-Government data protection observatory”; identification of best data protection practices already in use for e-Government and other public services and making recommendations to improve data protection standards in the public sector.[2153]

Health Privacy

On December 13, 2000, the Estonian Parliament approved the Human Genes Research Act.[2154] The Act created a national genetic database to be used for research into disease. The database is owned and controlled by the Estonian Genome Project Foundation.[2155] However, the Estonian government provides only 20 percent of the funding for the project. A United States registered company, EGeen International Corporation, has agreed to provide the remaining financing.[2156] Since 2001, approximately EUR 3.8 million have been expended on the project, 3.5 million of which was received from international venture capital funds and private investors.[2157] In April 2004, EGeen agreed to provide an additional EUR 1.6 million to the project for the collection and processing of samples from 5,000 donors.[2158] The focus of the Estonian database is different from that of the Icelandic database. Rather than looking for genes that cause disease, as in Iceland, the Estonian project is focusing on how genes influence individual responses to medicines.[2159] The main project is underway after successful completion of pilots in three regions.[2160]

Privacy protection for donors is included in the project design. Doctors who collect samples and medical histories for the project must register their databases with the DPAs before they can participate in the project. Individual data is stored in coded form on computers that are not connected to networks. The rights of donors and the consent form they have to sign before donating their samples are publicly available on the Estonian Genome Project Foundation website. The rights include voluntary nature of the consent, the right not to know the nature of one's genetic profile, the right to obtain one's own information or to give one's doctor the ability to obtain the information, and the right to have all data removed and deleted from the database.[2161]

The DPI has expressed concern over the lack of pharmacy service providers registering for sensitive information processing.[2162] There are approximately 300 pharmacy service providers. Each health care provider must have a method for registering complaints, their resolutions and patient feedback, and for timely notification of patients on the waiting list, their use of different health care specialists and changes of health care professionals.[2163]

National Identification Card Schemes

A new Law on Personal Identity Documents, requiring mandatory identity (ID) cards for all Estonian citizens over the age of 15 and resident aliens, took effect on January 1, 2002. The first Estonian ID Card was issued on January 28, 2002. As of September 8, 2006, a total of 989,073 cards were issued, covering over 70% of the Estonian population.[2164]

On its face, the card contains standard personal information including name, sex, date of birth, place of birth, citizenship, personal identification code (national ID code), date of expiration and signature, document number and a photograph of the holder.[2165] The card also incorporates a microchip storing an electronic identification certificate and an asymmetric key pair allowing for digital identification and digital signatures. The usage of digital signature is mandatory for public sector institutions. Digital signatures are used throughout the Estonian court system in communication between proceedings parties and in the Estonian Tax Board to receive any tax documents from individuals or businesses, and in order to conclude loan agreements in online banks.[2166] A personal identification number (PIN) is currently used to activate the card but this may eventually be replaced by a biometric identifier.[2167] For resident aliens with valid papers, the ID card also contains residence and work permit data.[2168]

The ID codes of all issued ID-card certificates are held in the certificate database, which is accessible through the homepage of the Certificate Center. Some telephone services in Estonia authenticate callers using only names and ID codes; because the ID codes are available at the Certificate Center homepage, this may lead to identity theft.[2169]

In May 2007, the Government’s idBlog announced a “Mobiil-ID service” giving customers the ability to positively identify themselves and issue a digital signature by using their mobile telephone.[2170] The user enters into a contract to use the Mobiil-ID services, swaps out their old SIM card for a new one and “gets the usual PIN and PUK keys plus additional codes needed for Internet-based personal identification and issuing of digital signatures.”[2171] Users can activate their service through the Internet using their ID card, PIN code and a card reader.


On June 28, 2005, the Estonian Parliament decided to allow Internet voting. E-voting is provided for in the Local Government Council Election Act (§ 50), Riigikogu Election Act (§ 44), European Parliament Election Act (§ 43) and the Referendum Act (§ 37). Because the Law on Personal Identity Documents had already been passed, the infrastructure enabling secure electronic personal authentication, the ID cards, was already in place. E-voting is secret and takes place six to four days before Election Day.[2172] The system uses asymmetric cryptography, with a system key pair, to guarantee voting secrecy.[2173] A voter may change their vote either by voting electronically again or by casting a paper ballot in a polling station. The last vote is the one that is counted.

The Estonian e-voting system, which uses the Estonian electronic ID card[2174] to identify voters, was developed by IT services company Cybernetica[2175] for the Estonian National Electoral Committee. In order to vote online, voters need to access the election website. The voters then identify themselves with their ID cards. The Voter Forwarding Server (VFS) then checks the voter’s personal identification code against the voter list database, verifies the eligibility of the voter and identifies their constituency. The VFS notifies voters if they have already voted. The voters select their candidates and are asked to confirm. The votes are then encrypted and signed with the voters’ digital signatures. As of August 2005, over 800,000 ID cards had been issued, covering most of the eligible voters in the country.[2176] E-voting was used in the 2005 Elections to the Local Government Councils and again in 2007 for the Parliamentary elections. In the 2007 elections, 5.5% of the total electorate who participated in the elections voted electronically, amounting to 30,243 people.[2177]
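The flow the two paragraphs above describe (identify the voter, check the voter list, encrypt the vote to the system key pair, sign it with the voter's own key, let a later vote replace an earlier one, and only decrypt once the signatures have been stripped for tallying) is easier to reason about as a small model. The following is an added example written for this page; it is not code from the Estonian system or from Cybernetica. Textbook RSA on tiny primes stands in for the real cryptography, and every key, personal code, constituency and candidate number in it is constructed for the demonstration.

```python
"""Toy model of the double-envelope e-voting flow: inner envelope = vote encrypted to the
system public key, outer envelope = voter's signature over that ciphertext."""
import hashlib
import secrets
from dataclasses import dataclass

# --- toy textbook RSA (illustration only: small primes, no standard padding scheme) ---
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                      # private exponent (Python 3.8+ modular inverse)
    return (e, n), (d, n)                    # (public key, private key)

def rsa_encrypt(pub, m):
    e, n = pub
    return pow(m, e, n)

def rsa_decrypt(priv, c):
    d, n = priv
    return pow(c, d, n)

def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def rsa_sign(priv, data: bytes) -> int:
    d, n = priv
    return pow(_digest(data, n), d, n)

def rsa_verify(pub, data: bytes, sig: int) -> bool:
    e, n = pub
    return pow(sig, e, n) == _digest(data, n)

# --- vote encoding: a random nonce is mixed in, so two votes for the same candidate never
#     share a ciphertext and the vote cannot be recovered by re-encrypting each candidate ---
def encode_vote(candidate: int) -> int:
    assert 0 < candidate < 256
    return (secrets.randbits(18) << 8) | candidate   # stays below the ~2^26 modulus used here

def decode_vote(m: int) -> int:
    return m & 0xFF

@dataclass
class Envelope:
    voter_id: str      # personal identification code taken from the ID-card certificate
    ciphertext: int    # inner envelope: vote encrypted to the system public key
    signature: int     # outer envelope: voter's signature over the ciphertext

def seal_vote(voter_id, voter_priv, system_pub, candidate) -> Envelope:
    c = rsa_encrypt(system_pub, encode_vote(candidate))
    return Envelope(voter_id, c, rsa_sign(voter_priv, c.to_bytes(4, "big")))

class VoteForwardingServer:
    """Models the VFS checks from the text: voter list, signature, repeat voting."""
    def __init__(self, voter_list, voter_pubs):
        self.voter_list = voter_list   # voter_id -> constituency (the voter list database)
        self.voter_pubs = voter_pubs   # voter_id -> public key (from the ID-card certificate)
        self.ballot_box = {}           # voter_id -> Envelope; a later vote replaces an earlier one

    def receive(self, env: Envelope) -> str:
        if env.voter_id not in self.voter_list:
            return "rejected: not on the voter list"
        if not rsa_verify(self.voter_pubs[env.voter_id], env.ciphertext.to_bytes(4, "big"), env.signature):
            return "rejected: bad signature"
        replaced = env.voter_id in self.ballot_box
        self.ballot_box[env.voter_id] = env
        return "accepted (previous e-vote replaced)" if replaced else "accepted"

    def cancel_for_paper_ballot(self, voter_id):
        """A paper ballot cast later in a polling station supersedes the e-vote."""
        self.ballot_box.pop(voter_id, None)

def tally(server, system_priv):
    """Strip the signatures, decrypt the inner envelopes, count per (constituency, candidate)."""
    counts = {}
    for voter_id, env in server.ballot_box.items():
        candidate = decode_vote(rsa_decrypt(system_priv, env.ciphertext))
        key = (server.voter_list[voter_id], candidate)
        counts[key] = counts.get(key, 0) + 1
    return counts

def run_demo():
    """Constructed scenario: two voters, one re-vote, one unknown voter, one bad signature."""
    system_pub, system_priv = make_keypair(10007, 10009)
    keys = {"38001010001": make_keypair(10037, 10039),   # made-up personal codes
            "48002020002": make_keypair(10061, 10067)}
    server = VoteForwardingServer(
        voter_list={"38001010001": "Tallinn", "48002020002": "Tartu"},
        voter_pubs={vid: pub for vid, (pub, _) in keys.items()})
    log = [
        server.receive(seal_vote("38001010001", keys["38001010001"][1], system_pub, 7)),
        server.receive(seal_vote("38001010001", keys["38001010001"][1], system_pub, 3)),  # re-vote
        server.receive(seal_vote("48002020002", keys["48002020002"][1], system_pub, 7)),
        server.receive(Envelope("59999999999", 1, 1)),                                     # unknown voter
        server.receive(seal_vote("48002020002", keys["38001010001"][1], system_pub, 3)),  # wrong key
    ]
    return log, tally(server, system_priv)

if __name__ == "__main__":
    print(run_demo())
```

The server never holds the system private key, so it can check who voted and replace a repeated vote without learning its content; the tally function models the counting stage, where signatures are discarded before decryption so that a decrypted vote can no longer be linked to the voter who signed it.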

Major Privacy Case Law

In 2004, the DPI was involved in two cases which reached the Supreme Court. Both concerned access to public information. The first one concerned the DPI and the Estonian Tax and Customs Board.[2178] The case involved the Board’s register of documents and the restriction on access to it.[2179] The Supreme Court upheld the previous decisions of the administrative court and the circuit court, according to which the Board’s complaint was not within the competence of the administrative court. Thus the DPI’s decision (that the restriction was illegal) was not examined by the courts. In November 2004, the restriction on access was made legal by an amendment of the Taxation Act.[2180]

Another case involved the DPI and a private individual.[2181] The case was about the complaint made by the private person on the DPI's decision on appeal. According to the DPI's challenge, the private person (who was a member of city council) had no right to ask information about the wages and salaries of the employees of the institutions administrated by the city, because these employees are not officials. The Supreme Court's decision was that the private individual wanted to get information as a member of the city council and because of that, this was not even a request of information for the purposes of Public Information Act.[2182] The Supreme Court repealed previous decisions made by the administrative court and circuit court and concluded the proceeding because the employees of the institutions administrated by the city are not officials and their salaries and wages are not public. The DPI's decision was sustained.

Wiretapping and Surveillance Rules

The 1994 Surveillance Act regulates the interception of communications, covert surveillance, undercover informants, and police and intelligence databases.[2183] Surveillance can be approved by a "reasoned decision made by the head of a surveillance agency." "Exceptional surveillance" requires the permission of a judge in the Tallinn Administrative Court for serious crimes. The punishment for illegal surveillance is a fine and three years imprisonment for general surveillance activity, and five years imprisonment for special measures like opening correspondence or telephone bugging.[2184] Illegally obtained evidence is not admissible in court. Citizens have a right under the Surveillance Act to obtain access to information held about them by surveillance agencies. Agencies must respond within three months if the agency maintains information about them.[2185] In October 1999, the Estonian Police Department refused to grant the Tallinn City Police authority the right to plant eavesdropping devices in apartments, offices and telephones to combat organized crime.[2186] The law was amended in May 2000 to allow the tax police to conduct surveillance.[2187]

On January 1, 2005, the new Electronic Communications Act[2188] came into force. The act replaced the Telecommunications Act and is in accordance with EU legislation. After the passage of EU Directive 2006/24/EU on data retention on March 15, 2006, Estonia’s law may change. Member countries must make the laws necessary to comply with the directive no later than September 15, 2007.[2189] Member countries may postpone application of the directive to “the retention of communications data relating to Internet Access, Internet telephony and Internet e-mail” until March 15, 2009.[2190] Estonia has said that it will postpone application of the Directive to the retention of communications data relating to Internet access, Internet telephony and Internet e-mail until 36 months after the date of the adoption of the Directive.[2191]

Open Government

The Public Information Act was approved by the Parliament and entered into force on January 1, 2001. Supervision and enforcement of the Act is conducted by the DPI. The law includes significant provisions on electronic access. Government departments and other holders of public information have a duty to post information on the web, and e-mail requests must be treated as official requests for information. Amendments in 2003 prohibited pretexting.[2192] During the period from October 2005 to September 2006, the DPI received 99 complaints, requests for explanation or memoranda based on the Public Information Act. This resulted in 8 misdemeanor proceedings.[2193] The majority of the complaints stemmed either from government websites violating provisions of the PIA or from failure of the website owner to comply with requests for information.[2194]

In 2006 the Centre of Registers of the Ministry of Justice was merged with the Ministry of Justice’s IT division becoming the Centre of Registers and Information Systems of the Ministry of Justice.[2195] The purpose of the agency is to develop and administer the registers and infosystems in the Ministry of Justice and to provide communication and info technological services.[2196]

Estonia enacted new security measures for information systems on August 12, 2004, which are set to expire on December 31, 2007.[2197] The regulation establishes a system of security measures for the information systems used in maintaining state and local governments' databases. The security measures system consists of the regulation specifying security requirements and the description of the organizational, physical and infotechnological measures that protect data. The regulation describes security classes and levels. Security classes are divided into four components: time criticality, severity of consequences of delay, integrity and confidentiality. A new information policy action plan, taking into account the objectives and priorities of the EU information strategy i2010, is currently under discussion in the Ministry of Economic Affairs and Communications.[2198]

International Obligations

Estonia is a member of the Council of Europe and has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[2199] In November 2001, Estonia ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108) (Convention No. 108).[2200] Also in November, Estonia signed and ratified the CoE Convention on Cybercrime.[2201]

[2132] The Human Rights Report submitted to the United States Congress by the United States Department of State, Section 1f <>.
[2133] Constitution of Estonia, available at <>.

[2134] The 1996 Act was repealed with the creation of a new PDPA to bring it into full compliance with the 1995 EU Data Protection Directive. The bill passed in February 2003 and entered into force on October 1, 2003. Law on the Protection of Personal Data (RT I 1996, 48, 944), available in English at <>.
[2135] RT1 I 2003, 26, 158 § 4.
[2136] Based on the definition in the 2003 version of the Personal Data Protection Act, "chief processors" are equivalent to "controllers" as it is defined by Art. 2 (d) of the European Union Data Protection Directive (1995/46/EC). The Estonian term "authorized processor" is the equivalent of the term "processor" as it is defined by Art. 2 (e) of the EU Directive 1995/46/EC.
[2137] E-mail from Triinu Jaaksoo, Public Relations Officer, Estonian Data Protection Inspectorate to Cédric Laurant, Policy Counsel, Electronic Privacy Information Center (EPIC), July 4, 2003 (on file with EPIC),

[2138] RT* I 1997, 28, 423: Databases Act available in English at <>.
[2139] RT I 2002, 63, 387 available at <>.

[2140] RT* I 1997, 28, 423 §§ 43, 44.
[2141] Regulation No. 10, February 14, 2007, available in English at <>.
[2142] Id. at § 8.

[2143] RT1 I 2000, 92, 597: Public Information Act, passed November 15, 2000 entered into force on January 1, 2001, last amended February 12, 2003, available in English at <>.

[2144] Homepage <>.
[2145] Id. at § 18.

[2146] Data Protection Inspectorate, “Report Concerning the Performance of the Personal Data Protection Act and the Public Information Act 2006,” at 11, available in English at <>.
[2147] Id. at 6.
[2148] Id. at 14.
[2149] Id. at 6.

[2150] “Estonia’s Schengen accession deferred,” Permanent Representation of Estonia to the EU, September 8, 2006 <>.
[2151] The Yearbook of EDPI, available at <>.

[2152] E-mail from Karel Neuwirt, President, Office for Personal Data Protection, Czech Republic, to Sarah Andrews, Research Director, Electronic Privacy Information Center, May 15, 2002 (on file with EPIC).
[2153] Homepage <>.

[2154] RT I 2000, 104, 685: Human Genes Research Act, available in English at <>.
[2155] Estonian Genome Project Foundation official website <>.
[2156] "Estonian Genome Foundation Signs Pilot Project Financing Accords," Baltic News Service, January 2, 2002.
[2157] "The Estonian Government Decided to Allocate Funds for the Estonian Genome Project," January 23, 2004, <>.
[2158] "The Estonian Genome Project Foundation and EGeen Agreed upon Year 2004 Financing," April 5, 2004, <>.
[2159] Mark Frary, “Estonian genome project ahead of schedule,” Estonian Genome Foundation, December 23, 2002 <>.
[2160] A. Metspalu et al., "The Estonian Genome Project in the Context of European Genome Research," Estonian Genome Foundation, April 30, 2004 <>.

[2161] Regulation No. 125 (December 17, 2001) available in English at <>.

[2162] Data Protection Inspectorate, “Report Concerning the Performance of the Personal Data Protection Act and the Public Information Act 2006,” at 8, supra.
[2163] RTL 2004, 158, 2376, December 28, 2004.

[2164] Jaak Tepandi, “A Population-Wide ID card (Estonia),” <>.

[2165] Regulation No. 370 of December 4, 2001 on the Establishment of Format and Technical Description of Identity Card and List of Data Entered on Identity Card and Determination of Period of Validity of Digital Data Entered on Identity Card.
[2166] Estonian Citizenship and Migration Board, supra.
[2167] "European States Roll out EID Cards," Cards International, February 22, 2002.
[2168] Estonian Citizenship and Migration Board, “Making Life Easier” available in English at <>.

[2169] Valdo Praust, “ID Code is not suitable for authentication” Äripäev, December 9, 2004, available in Estonian at <>.

[2170] idBlog, “EMT Launches the Mobiil-ID Service,” May 2, 2007 <>.
[2171] Id.

[2172] The National Election Committee, “E-Voting System Overview,” 2005 at 6, available in English at <>.
[2173] Id.

[2174] See <>.
[2175] Cybernetica official homepage <>.
[2176] The National Election Committee, “E-Voting System Overview,” at 4, supra.
[2177] idBlog, “The Number of Electronic Voters Tripled,” March 7, 2007 <>.

[2178] Available in Estonian at <>.
[2179] Supreme Court case nr. 3-3-1-38-04, available in Estonian at <>.
[2180] Amendment of the Taxation Act, available at <>.

[2181] Available at <>.
[2182] Public Information Act, available at <>.

[2183] RT* I 1994, 16, 290: Surveillance Act, February 22, 1994, available in English at
[2184] Criminal Code Art. 134.
[2185] RT* I 1994, 16, 290: Surveillance Act, February 22, 1994, supra.
[2186] Baltic News Service, October 8, 1999.
[2187] "Estonian Government Approves Plans for Tax Police," BBC Worldwide Monitoring, May 16, 2000.

[2188] RT2 I 2004, 87, 593: Electronic Communication Act, in English available at <>.

[2189] Eur. Parl. Dir. 2006/24/EU available at <>.
[2190] Id.
[2191] Official Journal of the European Union, Directive 2006/24/EC of the European Parliament and of the Council, March 15, 2006, at 8, available in English at <>.

[2192] RT1 I 2000, 92, 597, amended February 12, 2003, available in English at <>.
[2193] Data Protection Inspectorate, “Report Concerning the Performance of the Personal Data Protection Act and the Public Information Act 2006,” at 21, supra.
[2194] Id.

[2195] Ministry of Economic Affairs and Communications, “Information Technology in Public Administration of Estonia Yearbook 2005,” 2006 at 78, available in English at <>.
[2196] Centre of Registers and Information Systems official homepage <>.

[2197] RT I 26.08.2004.63.443, available at <> (in Estonian).
[2198] Ministry of Economic Affairs and Communications, “Information Technology in Public Administration of Estonia Yearbook 2005,” 2006 at 8, supra.

[2199] Signed May 14, 1993; ratified April 16, 1996; entered into force April 16, 1996.
[2200] Signed January 24, 2000; ratified November 14, 2001; entered into force March 01, 2002.
[2201] Signed November 23, 2001; ratified December 5, 2003; entry into force July 1, 2004.
